Recently I read an interesting research paper which talked about how Solid-State Drives (SSD) leave behind a horrible amount of old data that was supposed to be erased after "writing to zeros" and all that. (Not trying to start a debate on that topic.)

Anyways, it got me to wondering this...

If a person wanted the safest of safe end-effect from *software* Full-Disk Encryption (FDE), would that mean that the FDE software should be installed on a "virgin" machine before it was ever used, OR could you have a computer with tons of personal data on it - including residual data that was "deleted" yet not truly erased off the face of the HDD - and still encrypt every last bit on the HDD??

(To clarify, this would be for a conventional magnetic HDD, and NOT one of the newer Flash drives.)

My fear is that if I installed something like TrueCrypt on my 4-year-old laptop, that there might be sector or blocks with: Old Cache Files, Data Deleted but not Erased, and so on that might somehow escape being encrypted?! (It seems like *software* FDE encrypts maybe 99% of your HDD, and I am worried about that last 1%...)

Does that make sense?

I am asking this for two reasons...

1.) I hope to buy a new MacBook Pro later this week, and I want to know if I need to set up FDE *before* actually using it to get the best effect?

2.) I have this ancient MacBook that has maybe 400GB of data on it, and I'm curious how effective installing something like TrueCrypt on it would be? (Would doing that so late in the game really protect ALL of my data, or just most of it?!)

Unless your threat actor is a government organisation with a very invested interest in recovering your data - I think you'll be ok with Truecrypting the existing drive.

Asked another way, what would software FDE NOT encrypt?

My understanding is that the difference between hardware FDE and software FDE, is that software FDE does not encrypt or whatever the "Boot Sector".

But after reading about how Flash technology works - or doesn't work?! - it got me to wondering if there are significant portions of my physical HDD that something like TrueCrypt misses, and thus if I had already written unencrypted data to the entire HDD, TrueCrypt might "miss" some of that current or old data?

You're essentially adding random noise to every writable area of your disk, so it makes no difference as to the existing data in place.

As to the previously marked 'bad' sectors of the disk that may be inaccessible to the OS, I suppose you might in theory find a small amount of data in there.

If I had to use an existing HDD, and I was that paranoid about data leakage I would probably:

TomTees wrote: But back to my OP, would you agree that it is better to set up FDE on a virgin machine before you start using it, so - in theory at least - all of your data gets encrypted?

Yes, that is ideal because unencrypted data will never be written to the drive. However, you will still be reasonably secure if you encrypt data in place. You would have to have some insanely valuable data for someone to start rummaging through bad sectors; that is very expensive and time-consuming work.

Think about the scenarios you're trying to protect yourself against. They're probably something along the lines of preventing someone who steals your laptop at a coffee shop from accessing your email, files, etc. There's no need to go overboard or worry about every fluke scenario you read about.
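The mechanism described in the two replies above (in-place FDE writes random-looking data over every sector the OS can address, while a sector the drive has already remapped as 'bad' sits outside that address range and keeps whatever was on it) as an added Python illustration. This is not code from this thread or from TrueCrypt: the disk image, the firmware-style remap, the keyed-hash keystream standing in for AES-XTS, and the key and sector numbers are all constructed for the demo. It encrypts every LBA the way a software FDE driver would, leaves sector 0 readable as a bootloader region would be, then runs a per-sector entropy check over the physical sectors to show exactly which ones still hold plaintext.

```python
"""Model of in-place software FDE on a magnetic disk image.

Added illustration for this thread, not from any poster or from TrueCrypt.
Everything here is constructed: the disk is a list of bytearrays, the cipher
is a keyed-hash keystream standing in for AES-XTS, and sector counts are tiny.
"""
import hashlib
import hmac
import math

SECTOR = 512
LOGICAL_SECTORS = 64   # addressable LBA range the OS and the FDE driver see
SPARE_SECTORS = 4      # drive-internal reserve used when a sector goes bad


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or zeros."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class Disk:
    """Constructed disk: physical sectors behind an LBA map the OS goes through."""

    def __init__(self):
        self.physical = [bytearray(SECTOR) for _ in range(LOGICAL_SECTORS + SPARE_SECTORS)]
        self.lba_map = list(range(LOGICAL_SECTORS))  # LBA -> physical sector index
        self.next_spare = LOGICAL_SECTORS
        self.retired = []  # physical sectors no LBA reaches any more

    def write(self, lba: int, data: bytes) -> None:
        self.physical[self.lba_map[lba]][:] = data.ljust(SECTOR, b"\x00")[:SECTOR]

    def read(self, lba: int) -> bytes:
        return bytes(self.physical[self.lba_map[lba]])

    def mark_bad(self, lba: int) -> None:
        """Firmware-style remap: copy to a spare, retire the old physical sector.
        The old copy is never overwritten because nothing can address it."""
        old = self.lba_map[lba]
        new = self.next_spare
        self.next_spare += 1
        self.physical[new][:] = self.physical[old]
        self.lba_map[lba] = new
        self.retired.append(old)


def keystream(key: bytes, lba: int, length: int) -> bytes:
    """Toy per-sector keystream (HMAC-SHA256 in counter mode, tweaked by LBA).
    Stands in for the sector tweak of AES-XTS; not a cipher to use for real."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_in_place(disk: Disk, key: bytes, boot_sectors: int = 1) -> None:
    """Walk every LBA the driver can see; like software FDE, the boot region
    stays readable. XOR with the keystream, so calling it twice decrypts."""
    for lba in range(boot_sectors, LOGICAL_SECTORS):
        ks = keystream(key, lba, SECTOR)
        disk.write(lba, bytes(a ^ b for a, b in zip(disk.read(lba), ks)))


def build_used_disk() -> Disk:
    """A drive that has been in use for years before FDE is installed (constructed)."""
    disk = Disk()
    disk.write(0, b"BOOTLOADER: plain code read by the firmware before any key exists")
    for lba in range(1, LOGICAL_SECTORS):
        disk.write(lba, f"SECRET file data in sector {lba:03d} ".encode() * 16)
    # Deleting a file only drops the filesystem entry; the sector bytes stay put,
    # so "deleted but not erased" data is already covered by the loop above.
    disk.mark_bad(17)  # drive remaps LBA 17; the old physical copy is now unreachable
    return disk


def coverage_report(disk: Disk, threshold: float = 7.0) -> dict:
    """Entropy sweep over PHYSICAL sectors: which still look like plaintext,
    split by whether the OS (and so the FDE driver) could ever reach them."""
    reachable = set(disk.lba_map)
    low = [i for i, s in enumerate(disk.physical) if shannon_entropy(bytes(s)) < threshold]
    return {
        "addressable_plain": [i for i in low if i in reachable],
        "unaddressable_plain": [i for i in low if i in disk.retired],
    }


if __name__ == "__main__":
    d = build_used_disk()
    encrypt_in_place(d, b"constructed-demo-key")
    print(coverage_report(d))
```

The report separates the two kinds of leftover plaintext: the bootloader sector, which software FDE leaves readable by design, and the retired physical sector behind the remapped LBA, which no amount of in-place encryption can touch because the driver never sees it. Recovering that second kind needs vendor tooling or a firmware-level read, which is the expensive work ajohnson refers to.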

ajohnson wrote: Yes, that is ideal because unencrypted data will never be written to the drive. However, you will still be reasonably secure if you encrypt data in place. You would have to have some insanely valuable data for someone to start rummaging through bad sectors; that is very expensive and time-consuming work.

Think about the scenarios you're trying to protect yourself against. They're probably something along the lines of preventing someone who steals your laptop at a coffee shop from accessing your email, files, etc. There's no need to go overboard or worry about every fluke scenario you read about.

Okay, sounds good.

So, any ideas on the next step, which is "What is the best FDE software to use?"

I was using Truecrypt FDE, but I've heard it doesn't perform particularly well with SSDs and trashes them quite quickly, so I've removed it from my own laptop and switched to Truecrypt containers instead.

UKSecurityGuy wrote: I was using Truecrypt FDE, but I've heard it doesn't perform particularly well with SSDs and trashes them quite quickly, so I've removed it from my own laptop and switched to Truecrypt containers instead.

^ +1 I heard a few complain about it, on SSD. I'm also using it on a container / folder basis, instead.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'